All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REGEX in blacklist doesn't work as intended

osakachan
Communicator
‎07-13-2021 05:06 AM

Hello folks,

 

I encountered a problem when trying to filter events from WinEventLog and EventCode 4662.  When I use the next regex in a tester or in a SPL with a data set unfiltered, it works fine. But using it in a blacklist only allows a fraction of the messages when "Default Property Set" is in the first row after Properties.

 

blacklist9 = EventCode="4662" Message="(Tipo\sde\sobjeto:(?!\s*groupPolicyContainer))[\s\S]*(Propiedades:(?![\s\S]*Default Property Set))"

I tried some changes to the regex but I do not find a solution for this. Thanks for your time.

Labels (2)
Labels
0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎07-13-2021 06:26 PM

@osakachan  Can you check are you following allowed regex its little different from PCRE- inputs.conf - Splunk Documentation

0 Karma
Reply

codebuilder
Influencer
‎07-13-2021 08:38 AM

Have you tried using erex to help build your regex? It's a hidden gem, and extremely useful.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

 

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...